Vulnerability Development: Re: Problem with xkill

Re: Problem with xkill

From: KF <dotslash_at_snosoft.com>
Date: Thu, 04 Apr 2002 04:59:42 -0500

I guess the real question is did your friend indeed type xhost + yourbox
or was it already set as xhost + for him due to a bad default entry in
an X config file? This has happened in the past ... SGI was real bad
about it and I think it was even encouraged at one time for the sharing
of graphical apps. Mandrake and SCO have had the same issue recently.

-KF

Ron DuFresne wrote:

>
>But, to get this to work, you first had to take control of the other users
>X window display, so the controls must not be strict enough if this
>was able to be done.
>
>I think this is what Valdis.Kletnieks was trying to tell you.
>
>
>Thanks,
>
>
>Ron DuFresne
>
>
>On Fri, 22 Mar 2002, anthony gruppuso wrote:
>
>>I understand that, we use a very strict host access control list here on
>>all Xserver based devices/products; I just thought it was interesting
>>that xkill behaved in that manner. Initially I was under the impression
>>that it would function like a graphical kill, but apparently that is not
>>the case.
>>
>>Anthony (Joe) Gruppuso
>>
>>-----Original Message-----
>>From: Valdis.Kletnieks_at_vt.edu [mailto:Valdis.Kletnieks_at_vt.edu]
>>Sent: Friday, March 22, 2002 5:09 PM
>>To: Anthony Gruppuso
>>Cc: Bugtraq_at_securityfocus.com; vuln-dev_at_securityfocus.com
>>Subject: Re: Problem with xkill
>>
>>
>>On Fri, 22 Mar 2002 14:54:03 EST, Anthony Gruppuso said:
>>
>>>I don't know what possessed me to try this, but under Digital UNIX 5.0,
>>>as a normal user, I was able to set my DISPLAY to the IP address of
>>>another user who was running a separate session, and run xkill.
>>>
>>xkill (like any other X client) uses the standard X access control
>>scheme.
>>
>>Most likely, the other user had done an 'xhost +' or 'xhost +yourhost'.
>>
>>That's why xauth and friends exist, to stop games like this...
>>
>>--
>> Valdis Kletnieks
>> Computer Systems Senior Engineer
>> Virginia Tech
>>
>
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>"Cutting the space budget really restores my faith in humanity. It
>eliminates dreams, goals, and ideals and lets us get straight to the
>business of hate, debauchery, and self-annihilation." -- Johnny Hart
> ***testing, only testing, and damn good at it too!***
>
>OK, so you're a Ph.D. Just don't touch anything.
>
>
>
Received on Mar 23 2002
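
The thread turns on whether the display had been opened with 'xhost +' or 'xhost +yourhost' instead of relying on xauth. The following is an added example, not part of the original messages: a shell function that classifies the text printed by `xhost` run with no arguments, so an administrator can spot displays with open or host-based access. The sample outputs are constructed, and the user name `alice` and the function name `audit_xhost` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit the output of `xhost`.
# Typical use on a live display:  xhost | audit_xhost
# Constructed sample outputs, so the script runs without an X server.
SAMPLE_OPEN='access control disabled, clients can connect from any host'
SAMPLE_HOST='access control enabled, only authorized clients can connect
INET:yourbox
SI:localuser:alice'
SAMPLE_STRICT='access control enabled, only authorized clients can connect
SI:localuser:alice'

# Reads xhost output on stdin and prints one finding per line.
# Returns 0 if only per-user entries are present, 1 if the display
# is open to every host or trusts whole hosts.
audit_xhost() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*)
                # State left behind by `xhost +`: any host may connect.
                echo "OPEN: access control disabled"
                found=1 ;;
            "access control enabled"*|"")
                ;;
            SI:localuser:*)
                # Server-interpreted entry for one local user.
                echo "OK: $line" ;;
            LOCAL:*)
                # All non-network (local) connections are allowed.
                echo "LOCAL: $line"
                found=1 ;;
            *)
                # INET:host, INET6:host or a bare host name, as added
                # by `xhost +yourhost`: every user on that host is trusted.
                echo "HOST: $line"
                found=1 ;;
        esac
    done
    return "$found"
}

# Demonstration on the constructed host-based sample.
printf '%s\n' "$SAMPLE_HOST" | audit_xhost || true
```

A nonzero return means at least one entry grants access by host rather than by xauth cookie or individual user.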
